it 'does not find brands not associated with user' do
  # A brand that belongs to some other user; the signed-in user has no
  # relationship to it.
  brand = create(:brand)
  sign_in_as create(:user)

  # The controller looks the brand up through current_user, so an id the
  # user does not own raises instead of leaking the record.
  assert_raises(ActiveRecord::RecordNotFound) do
    get :new, brand_id: brand.to_param
  end
end

In production, Rails rescues ActiveRecord::RecordNotFound and renders a 404.
The error is raised in our access control scheme because the lookup goes
through the current_user's association rather than the Brand class, and there
is no record of the current_user having a relationship to this brand. In the
test environment Rails re-raises exceptions instead of rendering the error
page, which is why the test asserts the raise rather than checking for a 404
response.
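The following is an added example, not code from the original post or from Clearance: a dependency-free stand-in for the ActiveRecord pieces the scheme relies on, so the unscoped (vulnerable) and scoped (hardened) lookups can be run side by side. `Brand`, `User`, the `brands` association, the `new_unscoped`/`new_scoped` actions, and the in-memory `Relation` class are all assumptions made for illustration; `RecordNotFound` mirrors `ActiveRecord::RecordNotFound`, and `dispatch` mirrors what Rails does with that exception in production.

```ruby
# Added example, not the post's own code: a minimal stand-in for the
# ActiveRecord behaviour the association-scoped lookup relies on.
class RecordNotFound < StandardError; end

# Stand-in for an ActiveRecord relation. Like AR, #find raises when the id
# is not inside the scope the relation was built from.
class Relation
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    row = @rows.find { |r| r.id == Integer(id) }
    raise RecordNotFound, "Couldn't find Brand with id=#{id}" unless row
    row
  end
end

Brand = Struct.new(:id, :user_id, :name)
User  = Struct.new(:id, :name)

# Constructed sample data: two users (ids 10 and 20), one brand each.
BRANDS = [Brand.new(1, 10, "acme"), Brand.new(2, 20, "globex")].freeze

# Unscoped lookup, i.e. Brand.find(params[:brand_id]).
def brand_find(id)
  Relation.new(BRANDS).find(id)
end

# Scoped lookup, i.e. current_user.brands: only rows the user owns.
def user_brands(user)
  Relation.new(BRANDS.select { |b| b.user_id == user.id })
end

# Vulnerable "before": any signed-in user can reach any brand by id (IDOR).
def new_unscoped(_current_user, params)
  brand = brand_find(params[:brand_id])
  { status: 200, brand: brand.name }
end

# Hardened action: the lookup goes through the association, so an id the
# user has no relationship to raises RecordNotFound.
def new_scoped(current_user, params)
  brand = user_brands(current_user).find(params[:brand_id])
  { status: 200, brand: brand.name }
end

# What Rails does with RecordNotFound in production: render a 404.
def dispatch(current_user, params)
  yield(current_user, params)
rescue RecordNotFound
  { status: 404 }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(10, "alice")
  p dispatch(alice, { brand_id: "2" }) { |u, q| new_unscoped(u, q) } # leaks globex
  p dispatch(alice, { brand_id: "2" }) { |u, q| new_scoped(u, q) }   # 404
end
```

The point the stand-in makes is that the authorization decision lives in where the query starts: `Brand.find` answers "does this brand exist?", while `current_user.brands.find` answers "does this brand exist for this user?", and the second question is the one a controller should be asking.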

This authorization approach needs only a few lines of code and no gem
dependencies beyond Rails and Clearance. It leans heavily on the framework,
stays DRY, and follows ordinary authentication and RESTful conventions. It's
easy to test, and I know where those tests should go. The one discipline it
demands is consistency: every lookup of a user-owned record has to start from
current_user, since a single unscoped Brand.find bypasses the whole scheme.

Want to level up your testing game? Learn about testing Rails applications and TDD in our new book, Testing Rails. The book covers each type of test in depth, intermediate testing concepts, and anti-patterns that trip up even intermediate developers.